From 544df97b4102069b59dc8f9014bab645c4fd7690 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Mon, 2 Dec 2024 14:42:23 +0100
Subject: [PATCH] ukify: ellipsize CN to not exceed maximum length

Currently the generation of the certificate fails if len(fqdn) >= 43. Ellipsize the fqdn to let the tests pass in all cases.

Fixes https://github.com/systemd/systemd/issues/34581.
---
 src/ukify/ukify.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/ukify/ukify.py b/src/ukify/ukify.py
index a5719615cc3..e661dfe5485 100755
--- a/src/ukify/ukify.py
+++ b/src/ukify/ukify.py
@@ -1387,7 +1387,12 @@ def generate_keys(opts: UkifyConfig) -> None:
 # are specified as input paths.
 if opts.sb_key and opts.sb_cert:
 fqdn = socket.getfqdn()
+
 cn = f'SecureBoot signing key on host {fqdn}'
+ if len(cn) > 64:
+ # The length of CN must not exceed 64 bytes
+ cn = cn[:61] + '...'
+
 key_pem, cert_pem = generate_key_cert_pair(
 common_name=cn,
 valid_days=opts.sb_cert_validity,
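Review bot: The comment on the added `if len(cn) > 64:` branch says the limit is 64 bytes, but `len(cn)` counts characters, so the two only agree while `socket.getfqdn()` returns ASCII; if the certificate code enforces the limit on the encoded value, a non-ASCII host name could still exceed it after the cut. I would word the comment as `# X.509 caps CN at 64 characters (RFC 5280 ub-common-name); the tail of the FQDN is cut` so the unit and the information loss are both stated. Because the fixed prefix is 31 characters, the cut starts at a 34-character FQDN and keeps only its first 30 characters, so the CN is a label for humans and should not be used to tell signing hosts apart. generate_keys begins and ends outside the hunk.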